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ML5 is a programming language for spatially distributed computing, based on a Curry-Howard cor- 
respondence with the modal logic S5. However, the ML5 programming language differs from the 
logic in several ways. In this paper, we give a semantic embedding of ML5 into the dependently 
typed programming language Agda, which both explains these discrepancies between ML5 and S5 
and suggests some simplifications and generalizations of the language. Our embedding translates 
ML5 into a slightly different logic: intuitionistic S5 extended with a lax modality that encapsulates 
effectful computations in a monad. Rather than formalizing lax S5 as a proof theory, we embed it 
as a universe within the the dependently typed host language, with the universe elimination given by 
implementing the modal logic's Kripke semantics. 



1 Introduction 

One of the many benefits of formalizing programming languages and logics is that the process of formal- 
ization, and the constraints of the particular techniques used, can lead to new insights about the system 
being studied. This paper provides a worked example of this phenomenon, investigating the ML5 pro- 
gramming language for spatially distributed computing J23ll . ML5 has previously been formalized |23] 



using syntactic methods in Twelf II26I1 . However, we wished to give a semantic interpretation of ML5 
into a dependently typed pro gram ming language, as a first step towards extending work on embeddings 



of security typed-languages H22TI to account for spatially distributed access control, as in the PCML5 
extension of ML5 [7]. Our semantic formalization of ML5 provides insight into several discrepancies 
between ML5 and the logic upon which it is based, and suggests some simplifications and generalizations 
of the language, as we now describe. 

ML5 facilitates distributed programs that deal with located resources, such as a database on a server, 
the browser display on a client, or heap references on any particular site. When a distributed program 
running at one site attempts to access a resource located at another site, the program must either com- 
municate with the other site or fail. Because tacit communication makes it very difficult to reason about 
the execution time of a program (e.g. every memory dereference might involve a network communica- 
tion), ML5 is based on the stance that all communication should be explicit in the program. However, 
rather than letting accesses from the wrong site fail dynamically, ML5 employs a type system based on a 
Curry-Howard correspondence with the modal logic S5 to catch these errors statically. ML5 is defined as 
an intuitionistic modal logic in the style of Simpson Jj^ll . where hypotheses and conclusions are consid- 
ered relative to worlds, which represent places on a network. The ML5 typing judgement has the form 
x\ : A\[w\],. . . ,x n : A n \w n ] h e : C[w], where A; and C are modal types and w,- and w are worlds. 
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Despite being designed by a correspondence with S5 modal logic, the ML5 programming language 
differs from S5 in several ways: First, ML5 ensures that all communication is explicit in the program by 
providing only a single communication primitive that, operationally, goes to world w', runs e, and brings 
the resulting value back to w: 

r\-e:A[w'} A mobile 
rh gete :A[w] 

The condition A mobile rules out instances of get where A is, for example, ref int — which would take 
a reference that should be used at w' and turn it into a reference that should be used at w, violating the 
intended typing guarantees. 

Second, in the standard presentation of S5, elimination rules for positive connectives such as sums al- 
low an arbitrary conclusion, which is unconnected to the principal formula. In ML5, this rule is tethered, 
in that the world in the conclusion must be equal to the world in the premise: 



ThAVB[w] 
r,x:A[w] V-C[W] 
T,x:B[w}Y-C[w'} 

r h C[w'] 



untethered case 



rhAVB[w] 
T,x:A[w] hC[w] 
r,x:B[w] hC[w] 

rhc[w] 



tethered case 



ML5 makes the tethering restriction because the obvious operational interpretation of the untethered rule 
requires communication (go to w to run the principal formula). Indeed, the untethered rule is derivable 
using get. However, this tethering is at odds with the Kripke semantics of modal logic, where AV8[iv] 
is interpreted as A[w] or B[w] — if the interpretation commutes with disjunction, then a disjunction should 
be eliminable no matter the conclusion of the sequent. 

Third, ML5 includes two different D-like modalities with the same introduction rule. The first is writ- 
ten £3 A, while the second, VwA at w, is a composition of the connective V (quantification over worlds) 
and the hybrid logic ||5|] at modality, which internalizes the judgement A[w] as a connective. (Hybrid 
logic is between modal logic (truth is relativised to worlds) and first-order logic (propositions may men- 
tion worlds)). The two connectives are eliminated differently: ML5 distinguishes a syntactic category of 
values from ordinary expressions, and E3 A can be eliminated to construct a value but \/wA at w cannot. 

In addition to these discrepancies, there is some confusion over the meaning the world in ML5 value 
judgements v :: A[w] and expression judgements e : A[w]. An expression judgement means that e is an 
expression that must be evaluated at w, and produces a value v :: A[w], but what does the world in the 
value judgement mean? One cannot think of values as just a subset of expressions, as the value rules 
for certain connectives, such as at and £3, would violate the property that all communication happens 
through get. Additionally, in the dynamic semantics of the ML5 internal language given in Section 3.3 
of Murphy [23Q, get e returns the entire value of e to the calling world, so the value judgement does not 
mean that the value v is physically located at w. 

In this paper, we propose a new logical foundation for ML5, which explains the differences between 
ML5 and S5 and clarifies the role of the world in a value judgement. We translate ML5 into the intuition- 
istic logic S5 extended with a lax modality, written O ^» that encapsulates effectful computations in a 
monad Ill0l. ll5l. l2in. This monadic distinction between pure terms and effectful computations is already 
tacit in ML5's distinction between values and expressions — and in intermediate languages used in the 
ML5 compiler (e.g. the CPS language in Murphy 1231] ). which include elimination forms for "values" as 
"values". Here, we draw out this distinction by formalizing a monadic interpretation of ML5, and make 
some improvements to the language based on this formulation. 
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In our interpretation, ML5 values of type A [w] are interpreted as pure terms of type A*(w), where A* 
is a monadic translation of A, and we write B(w) for a worlded type in the lax modal logic. On the other 
hand, potentially effectful ML5 expressions are interpreted as inhabitants of type (O A*)(w). The role 
of the world in a value judgement, i.e. the role of the world in B(w), is to describe where the resources 
in subexpressions of the type A may be used and where the computations in the type A must be run. For 
example, the value judgement (ref int D O un 't)( c '' en t) describes a function that takes a reference that 
must be used at the client and produces a computation that must be run at the client. 

Our interpretation explains the three discrepancies between ML5 and S5 mentioned above: the get 
primitive is an extra operation on the monad O that allows a computation that must be run at one world 
to be run from another. The tethered case rule is a derived rule: in ML5, the scrutinee of the case is an 
effectful expression, so it is necessary to sequence evaluating this expression with an actual case analysis 
on the value produced — and it is the sequencing that requires tethering. Indeed, we show that we can 
enrich ML5 with an untethered case rule on values, which would permit simpler code. Finally, the £3 
connective can be eliminated in favor of V and at, given the standard pure elim rules for these types. 

Rather than formalizing lax S5 as a proof theory, we embed it inside a dependently typed host lan- 



guage, Agda II25H . First, we define a lax logic for distributed programming, L5, which is embedded in 
Agda using an indexed monad of computations at a place. Next, we define a universe of hybrid modal 
types, HL5, and give them meaning by interpretation into L5 — i.e. we define a syntax of HL5 types, 
along with a function interpreting them as L5 types. Finally, we translate ML5 into HL5. This technique 
saves us the work of defining a proof theory for HL5, and additionally allows us to inherit the equational 
theory of the meta-language, which can be exploited in proving that the semantics validates the opera- 
tional semantics of ML5. While it is simple to embed type systems specified by standard judgements of 
the form x\ : A\,...,x n : A n h e : C as a universe, it requires a bit of thought to adapt these techniques 
to languages with modal type systems, such as HL5. In previous work on programming with variable 



binding 12011 . we employed a technique for embedding such modal type systems: intuitionistic modal 



logics can be given a Kripke semantics in first-order intuitionistic logic [28], and we can formalize this 
semantics in a dependently typed language host language. However, the presentation of this technique 
in that paper was somewhat obscured by the particular example. In this paper, we present this technique 
in a simpler setting, and apply it to explain the proof theory of ML5. The Agda code for this paper is 
available from www . cs . emu . edu/~drl. 

We briefly review Agda's syntax; see the Agda Wiki (wiki .portal . Chalmers . se/agda/) for 
more introductory materials. Dependent function types are written with parentheses as (x : A) -> 
B. An implicit dependent function space is written as {x : A} -> B or V {x} -> B and arguments to 
implicit functions are inferred. Non-dependent functions are written as A -> B. Functions are written as 
A x -> e. Named functions are defined by clausal pattern-matching definitions. Set is the classifier of 
classifiers in Agda, like the kind type in ML or Haskell. 



2 L5 

In this section, we define an interface for distributed programming in Agda, based on lax logic ilOU l5ll. 
We define a type of worlds and a family of monads 10 w S indexed by worlds, which represent an 
effectful computation that runs at world w and produces a value of type S. 

World : Set 
server : World 
client : World 
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10 : World -> Set -> Set 

return : V {w S} -> S -> 10 w S 

_»=_ : V -Cw S S'} -> 10 w S -> (S -> 10 w S') -> 10 w S' 

get : V {w' w S} -> 10 w' S -> 10 w S 

Ref : World -> Set -> Set 

_:=_ : V {w S} -» Ref w S -> S -> 10 w Unit 
! : V {w S} -> Ref w S -> 10 w S 
new : V {w S} -> 10 w (Ref w S) 

The definitions are parametrized by a type of worlds, which we here assume to contain client and server. 
10 w Sis axiomatized as a monad, with return and bind (»=), along with an additional operation get 
that allows the computation to switch to a different world. The command get can be thought of as a 
remote procedure call, which goes to w ' , runs the given command, and then brings the resulting value 
back to w. Next, we define a type Ref w S of heap references located at world w. The operations for 
setting (:=), getting (!), and creating (new) references require the reference to be at the same world as 
the computation. 

Because these types are embedded in Agda, they may interact freely with the host language types — 
e.g., a computation may return value of any Agda Set, and we can use Agda n and £ types to quantify 
over worlds. 

In Agda, we use the postulate keyword to assume an implementation of this interface. Under the 
hood, these operations can be implemented using foreign-function calls, e.g. interpreting 10 k A as the 
10 monad in Haskell. A trivial implementation of this interface may run all computations in a single 
executable on a single machine. A more realistic implementation would require compiler support for (a) 
compiling a single program to run on multiple hosts and (b) marshaling and unmarshaling all values (the 
ML5 compiler implements both of these). We also give a high-level abstract operational semantics for 
computations in the companion code. 

L5 satisfies the design goals of ML5: it ensures that resources are only used by a computation running 
at the appropriate world, and it also makes all communication explicit via get. 

The following example illustrates the use of the indexed types Ref and 10, as well as the get opera- 
tion on the monad: 

update : (Ref server (10 server Unit)) -> 10 client Unit -> 10 client Unit 
update 1 clicomp = get{server} (1 := (get{client} clicomp)) 

This function takes a reference at the server that stores a callback computation, which itself runs at the 
server, as well as a computation that runs on the client, and produces a computation that runs on the 
client. This computation goes to the server (the outer get), and updates the callback ref (1) to point to a 
computation that goes back to the client and runs clicomp (the inner get). Omitting either get causes 
a type error, preventing resources from being used at the wrong location. In fact, nothing about the code 
is specific to the worlds client and server, so we can make it polymorphic in the worlds: 

update' : (wl : World) (w2 : World) -> Ref w2 (10 w2 Unit) -> 10 wl Unit -> 10 wl Unit 
update' wl w2 1 compl = get{w2} (1 := (get{wl> compl)) 

3 HL5 

A disadvantage of L5 is that types can be somewhat verbose, as they they repeat the same world multiples 
times (e.g. both client and server occur twice in the type of update). A hybrid modal type system, 
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as in ML5, permits more concise specifications: one writes a modal type A, which for the most part does 
not mention worlds, and then interprets it relative to a world at the outside by writing A < w >. In this 
section, we define HL5, which is a hybrid type system constructed on top of the above lax logic. We 
define HL5 by semantic embedding into L5 (which itself is just a library in Agda): we define a syntax 
of HL5 types, and then an interpretation function mapping HL5 types to functions from worlds to Agda 
Sets (or, thinking constructively, predicates on worlds). 

3.1 HL5 Types 

The datatype of HL5 types is defined as follows (note that Agda allows multiple datatype constructors 
per line): 

data Type : Set where 

_D_ _V_ : Type -» Type -> Type 
V5 35 : (World -> Type) -» Type 
_at_ : Type -> World -> Type 

O : T yP e -> T yP e 
ref : Type -» Type 

The types D and V represent functions and sums (the notation _V_ allows V to be used infix). The types 
V5 and 3 5 represent quantifiers over worlds. Next, at is a connective of hybrid logic, which allows types 
to set the world at which the type is interpreted. Finally, O an d ref represent monadic computations and 
references; note that they are not indexed by a world. Box and diamond can be defined using quantifiers 
and at: □ A = V5 (A w -> A at w) and A = 3s (A w -> A at w). 

Below we define the interpretation function A < w >, which takes a modal type and a world and 
produces an Agda Set. Using modal types, we can rewrite the type of update as follows: 
update : (((ref (O T)) at server) D O T D Q T) < client > 

The type ( (ref (Q> ~D ) at server) Z) Q) T D Q T says that update takes a reference to a 
computation, located at the server, along with a computation, and produces a computation. The Agda 
function A < w > takes a Type and a World and produces a Set; here, it is used to say that the whole 
type is interpreted relative to the client. 

The above polymorphic update ' is typed as follows: 
update' : (CKV5 (A w2 -» ref (O T) at w2 D O T ^ O T )» <*> 
where the postfix symbol <*> : Type -»• Set means that the proposition is true in all worlds (i.e. A 
<*> means the Agda type {w : World} -> A < w >). The outer □ binds the "client" world (i.e. the 
world for the computations in O T D O ~0; the inner V5 binds the "server" world (i.e. the world of 
the ref (O T). 

3.2 Interpretation 

We define an interpretation function A < w > interpreting a type A and a world w as an Agda classifier (a 
Set). Then the proof of an HL5 judgement Al < wl > . . . h C < w > is an Agda function of type 
Al < wl > . . . -> C < w >. This interpretation is a constructive Kripke semantics — i.e. a Kripke 
semantics of an intuitionistic modal logic in intuitionistic first-order logic, relative to the Kripke structure 
given by the type WorldQ The interpretation is defined as as follows: 

'Technically, we omit two of the pieces of a Kripke structure: World is the set of states, but because we are representing S5, 
we can elide the accessibility relation, and because we do not have uninterpreted base Types, we do not need an interpretation 
of them. 
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_<_> : Type -> World -> Set 
(ref A) < w > = Ref w (A < w >) 

(O A ) < w > = 10 w ( A < w >) 

(A at w') <_>=A<w' > 

(A Z> B) <w> = A<w>^B<w> 

(A V B) < w > = Either (A < w >) (B < w >) 

(V 5 A) < w > = (w' : World) -> (A w') < w > 

(3 5 A) < w > = E \ (w' : World) -> (A w') < w > 

The main action of the translations is to annotate ref and O with the world at which the type is being 
interpreted. The hybrid connective at interprets its body at the specified world, ignoring the current 
world. Otherwise, the translation interprets each connective as the corresponding Agda Set-former, with 
the translation applied recursively. Note that the interpretation of D is simply when giving a Kripke 
semantics for intuitionistic logic in a classical meta-language, it is necessary to interpret A D B as if it 
were boxed, by quantifying over future worlds; but because our meta-language is intuitionistic, this is 
not necessary here. 

The function <*> : Type -> Set is defined to be the Agda set {w : World} -> A < w > — A is 
true in all worlds, with the world itself an implicit argument to the function. Agda verifies that the modal 
types of update and update ' reduce to the explicit types given above. 

This formalization has several benefits: we can immediately use Agda to program in the modal logic, 
and existing Agda code can be used at modal types. For example, one can check that this definition 



validates all of the rules of intuitionistic S5 [28], by implementing the proof that the Simpson rules 
are sound for the Kripke semantics. The untethered elimination rule for disjunction and a projective 
elimination rule for at are defined as follows: 

casev : V {A B C w w'} ^ AVB<w> 

-> (A < w > -> C < w' >) -> (B < w > -> C < w' >) 

-> C < w' > 
casev (Inl e) bl b2 = bl e 
casev (Inr e) bl b2 = b2 e 

unatv :V{Aww'} -> (Aatw')<w> -> A<w'> 
unatv x = x 

Additionally, we can see that the return and bind operations on the monad have their expected types 
at any world: 

hl5ret : V {A} -> A D O A <*> 
hl5ret = return 

hl5bind : V {A B} -» O A D (A D Q B) D Q B <*> 
hl5bind = _»=_ 

The type of bind insists that all three O s be at the same world: sequencing tethers the premise to the 
conclusion. 

Having considered return and bind, it is natural to ask what hybrid type can we ascribe to the get 
operation on the indexed monad 10 w A. If we try defining 

hl5get : V {A wl w2> -> ((OA) at wl) D ((O A) at w2) <*> 

we see that hl5get must transform 10 wl (A < wl >) into 10 w2 (A < w2 >). L5 get satisfies this 
requirement if A is a constant function of its world argument, in which case A < wl > is the same Agda 
Set as A < w2 >. 
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We characterize constant modal types by the property that they yield the same Set for any two 
arguments: 

Constant : Type -* Setl 

Constant A = V {w w'} -> EqSet (A < w >) (A < w' >) 

Here EqSet is an Agda relation expressing that the two Sets are equal classifiers (in fact, we need a 
notion of equality that compares the bodies of IT and £ on all arguments, which we borrow from OTT fl]); 
it is equipped with an operation coerce : V {A B} -> EqSet A B -> A -> B. It is simple to prove 
that A at w is constant, and that the connectives V D V5 3s preserve constantness. Neither ref nor O 
is constant, as their interpretation directly mentions the world. Thus, the constant types are those where 
all ref s and s we guarded by an at. 

Now, we can ascribe get the following monadic type: 

hl5get : V {A wl w2> -> Constant A -> ((O A) at wl) D ((O A) at w2) <*> 
hl5get con e = get e >= \ v -> return (coerce con v) 

hl5get is equivalent to get, using the monad laws and the fact that coercion based on a proof of EqSet 
is the identity (at least up to extensional equality), 



4 ML5 

In this section, we give inductive definitions of the syntactic apparatus of ML5: First, we define the syntax 
of types. Next, we represent programs using an intrinsic encoding, which represents only well-typed 
syntax (i.e. typing derivations or natural deduction proofs). Variables are represented as well-scoped de 
Bruijn indices — pointers into a typing context, which is an explicit parameter to the typing judgements. 
The static semantics requires an auxiliary definition of a mobility judgement on types, which is defined 
below. 



4.1 Types 

data Type5 : Set where 

_V_ : Type5 -> Type5 -> Type5 
V5 EI5 : (World -> Type5) -» Type5 
_at_ : Type5 -» World -» Type5 
ref : Type5 -» Type5 
8 : (World -> Type5) -» Type5 

The type — represents partial functions, and the type V represents sums. The types V5 3s cdat and ref 
are the same as in HL5. There is an additional type constructor "shamrock", rendered here as 0, which 
is a D-like modality, but its rules in the ML5 proof theory are subtly different than the rules for V5 (A 
w -> A at w). 

We represent types with free world variables as Agda functions from worlds to types. This is per- 



missible because World is defined prior to type (i.e. we are using Weak HOASMl l Ulql). If World is 
chosen to be a base type in Agda, then it adequately represents ML5 types as in Murphy [23]. If instead 
World is chosen to be an inductive type, this representation yields a language with type-level case anal- 
ysis over worlds — i.e. one could define types whose structure varies depending on their world, such as 
35 (A w -> if w = server then nat else bool) ; we leave an exploration of the practical uses of 
this alternative to future work. 
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4.2 Mobility 

ML5's notion of mobility identifies constant functions, analogously to the Constant relation on HL5 
types above. 

data Mobile5 : Type5 -> Set where 
mat5 : V {A w} -> Mobile5 (A at w) 
mQ5 : V {A} -» Mobile5 (£3 A) 
-- no rule for — 1 or refs 

mV5 : V {A B} -> Mobile5 A -> MobileS B -> Mobile5 (A V B) 
mV5 : V {A} -> ((w' : _) -> Mobile5 (Aw')) -> Mobile5 (V 5 A) 
m35 : V {A} -> ((w' : _) -> Mobile5 (Aw')) -> Mobile5 (3 5 A) 

To foreshadow the interpretation: £3 is always mobile, essentially because V5 (A w -> (A w) at w) is 
constant. Functions are never mobile, because they hide a O i n their domain, and O is not constant. 

4.3 Typing judgements 

ML5 judgements have the form r h e : A [ w ] and r h v : : A [ w ] . These judgements mean 
that the expression e and the value v are well-formed with modal type A at world w. Here T contains 
assumptions x : A [w] and u ~ w . A. The former, a value hypothesis, means that x stands for a value of 
type A at world w. The latter, a valid hypothesis, means that u stands for a value of type A that makes sense 
at all worlds (w is bound in A). In the operational semantics, we will substitute a proof of the judgement 
w: world h v : : (A w) [ w ] for a valid variable. 

We combine both of the above judgements into one Agda type, denning a relation Thy. Here T is 
a list of hypotheses, which are either value (A [ w ] ) or valid (w. A) and / is a conclusion, which 
is either exp (A [ w ] ) (for expressions) or value (A [ w ] ) (for values). As in the syntax of types, 
w . A is represented by an Agda function from worlds to types, h binds more tightly than ->, so we can 
write e.g. r h CI -> T h C2 for (r h CI) -> (r h C2). 

We define the notation A [ w ] to mean the pair of A and w, and we define sum types for hypotheses 
and conclusions as follows: 

data Hyp : Set where 

value : (Type5 x World) -> Hyp 
valid : (World -> Type5) -» Hyp 

data Cone : Set where 

exp : (Type5 x World) -> Cone 
value : (Type5 x World) -» Cone 

Ctx = List Hyp 

Term variables x and u are represented by well-scoped de Bruijn indices — pointers into T: 

data {A : Set} : A -> List A -> Set where 

iO : ia : A} {T : List A> -> a G (a : : D 
iS : fa a' : A} fr : List A> -* a G F -* a G (a' : : D 

The typing rules are defined in Figure Q] The first rule says that (> x) is a value if x is a de Bruijn 
index for a value assumption in T. The next rule represents the application of a valid assumption in T 
to a world w; we use prepositional equality Id to state that the conclusion type is A w because otherwise 
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the higher-order conclusion blocks pattern-matching, lam takes an expression in an extended context 
to a value of function type; this rule expresses the idea that a function of type A — B in a world w is 
an expression of type B at w, hypothetically in a variable standing for a value of type A at w. Sums are 
introduced by commuting the world with the connective, hold switches worlds to introduce an at; wlam 
and wpair introduce quantifiers in the usual way; the world in the conclusion does not change (also, note 
the parentheses, which in Agda's notation for datatype constructors are the only difference between the 
two rules: the premise of wlam is a function, whereas wpair has two premises). However, note that the 
body of a wlam is a value, not an expression — ML5 has a value restriction on world quantification, to 
support type inference in the style of ML. sham both quantifies over a new world and switches the world 
of the conclusion — indeed, this is the derived intro rule that one would expect for 8 A = V5 (A w -> 
(A w) at w). 

val injects values into expressions, whereas let sequences the evaluation of two expressions, put 
runs an expression of mobile type and then binds the resulting value as a valid assumption, app and wapp 
eliminate functions and universals, with the world along for the ride. The remaining rules are pattern- 
matching-style elimination rules. In these rules, the world in the conclusion C [ w ] is tethered to the 
world in the principal premise, as discussed in the introduction. 

This system is the ML5 internal language described in Section 4.3 of 12311 with one minor change: 
we have eliminated the syntactic class of valid values, which allowed validity to appeal - as a conclusion 
as well as as a hypothesis — valid values are unnecessary because validity is invertible on the right. An 
alternate formalization with valid values is included in the companion code. 

5 Semantics 

Our semantics explains the meaning of an ML5 program by translation into HL5. As discussed above, our 
translation clarifies the essential difference between the role that the world plays in the judgements value 
(A [ w ] ) and exp (A [ w ] ) : a value hypothesis or conclusion value (A [ w ] ) is interpreted as 
a pure term of HL5 type (ef f A) < w >, where ef f A is a monadic translation of A. Thus, the role of 
the world w is only to describe where the resources in A may be used and where the computations must be 
run. On the other hand, an expression exp (A [ w ] ) is interpreted as a monadic computation of type 
(O (eff A)) < w >, so the world determines both the site at which the effectful computation must be 
run and where the resources/computations in A may be used. 

5.1 Type Translation 

The type translation from ML5 types to HL5 translates £3 to HL5 □, adds a O to tne codomain of — (as 
in any monadic translation J2lll ). and is defined compositionally otherwise. The ML5 connective V5 has 
a value-restriction, so there is no O inserted in its body. Note that Agda allows datatype constructors to 
be overloaded, so we can have both ML5 types and HL5 types in scope at once. 

eff : Type5 -> Type 

eff (A — B) = eff A D 0( eff B > 

eff (A V B) = eff A V eff B 

eff (V 5 A) = V 5 (A w -> (eff (A w))) 

eff (3 5 A) = 3 5 (A w -> eff (A w)) 

eff (A at w) = (eff A) at w 

eff (ref A) = ref (eff A) 

eff (8 A) = V 5 (A w -> ((eff (A w)) at w) ) 
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data 



(r : Ctx) : Cone -> Set where 



-- values 

> : V {A w} 
-> value (A [ w ] ) E T 
-> r h value (A [ w ] ) 



>v : V {w A C} 
-> valid A G r 
-> T h value (C 

lam : V {A B w} 
-> (T ,, value (A 
->Th value (A - 



-» Id C (A w) 
[ w ]) 



[ w ] ) ) h exp 
- B [ w ]) 



(B [ w ]) 



lete : 

-» r i 
-> (r 
-» r i 



get5 



V {A C w} 

- exp (A [ w ] ) 

,, value (A [ w ] ) ) 

- exp (C [ w ] ) 



V {A w w 
h exp (A 
h exp 



} 

[ V ]) 
(A [ w ]) 



put : V {A C w} 

^ T h exp (A [ w ]) 
-> (r ,, valid (\ _ -> 
^ T h exp (C [ w ]) 



A)) 



exp (C [ w ] ) 



Mobile5 A 



Mobile5 A 

h exp (C [ w ] ) 



inl : V {A B w} 
-> T h value (A [ w ]) 
-> T h value (A V B [ w ]) 

inr : V {A B w} 
-> T h value (B [ w ]) 
-> r h value (A V B [ w ]) 

hold : V {A w w'} 
-> T h value (A [ w' ]) 
-> T h value ((A at w') [ w ]) 

wlam : V {A w} 
-> ((W : _) -> r h value ((Aw') [ w ])) 
-> r h value (V5 A [ w ] ) 

wpair : V {A w} 

-> (w' : World) 

-> T h value ((Aw') [ w ]) 

-> r h value (O5 A) [ w ]) 



app : V {A B w} 

^ T h exp (A B [ w ]) 

-» T h exp (A [ w ]) 

^ T h exp (B [ w ]) 

wapp : V {A w} 

^ T h exp (V 5 A [ w ]) 

(w' : World) 
^ T h exp ((A w') [ w ]) 

case : V {A B C w} 

^ T h exp (A V B [ w ]) 
-» (r ,, value (A [ w ]) h exp (C [ w ])) 
-» (r ,, value (B [ w ]) h exp (C [ w ])) 
-> T h exp (C [ w ]) 

wunpack : V {A w C} 

-> T h exp ((3 5 A) [ w ]) 
-> C(W : _) -» 

T „ value ((Aw') [ w ] ) h exp (C [ w ] ) ) 
^ T h exp (C [ w ]) 



sham : V {A w'} 
-> ((w : _) -> r h value (Aw [ w ])) 
-> T h value (S A [ w' ]) 

expressions 

val : V {L} 
-> T h value L 
-> T h exp L 



leta : V {A w w' C} 

-> T h exp ((A at w') [ w ]) 

-> (r ,, value (A [ w' ]) h exp (C [ w ])) 

^ T h exp (C [ w ]) 

lets : V {A w C} 

^ T h exp (£3 A [ w ]) 

-» (r ,, valid A h exp (C [ w ])) 

-> T h exp (C [ w ]) 



Figure 1 : ML5 Static Semantics 
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A simple induction verifies that mobile ML5 types translate to constant HL5 types: 
eff -mobile : V {A} -> MobileS A -> Constant (eff A) 

5.2 Term translation 

Next, we interpret hypotheses and conclusions. Values and expressions are interpreted as described 
above (note that forL = A [ w ], fst L = A and snd L = w). A valid hypothesis is interpreted as 
the Agda set (w : World) -»• (interp-hyp (value (A w [ w ]))), though to appease the termi- 
nation checker we have to unroll the definiton of interp-hyp. 

interp-hyp : Hyp -> Set 

interp-hyp (value L) = (eff (fst L)) < (snd L) > 
interp-hyp (valid A) = (w : World) -> (eff (Aw)) < w > 

interp-conc : Cone -> Set 

interp-conc (value L) = interp-hyp (value L) 
interp-conc (exp L) = (Q) (eff (fst L))) < (snd L) > 

Next, we interpret the syntax (Figure [2]). The Agda type Everywhere P xs represents a list with 
one element of type P x for each element x in xs; we use this to represent a substitution of semantic 
values for syntactic variables. The usual prepositional connectives are interpreted in the standard way, by 
sequencing evaluation if necessary and then applying the corresponding Agda introduction or elimination 
form. Subexpressions that are under bound variables are interpreted in an extended context (e.g. e in 
lam e). ListM . EW . there looks up a de Bruijn index into T in a substitution of type Everywhere P T. 

sham is interpreted as an Agda function, which is applied in the translation of the ov rule for us- 
ing valid variables. There are no Agda term constructors for at, so the translation simply proceeds 
inductively. The quantifiers are interpreted by supplying the world arguments in the syntax, rather than 
by extending the substitution (recall that the proof terms wlam and wunpack contain Agda functions). 
Recall that the body of wlam is already a value, so no further evaluation is necessary. 

val and lete are interpreted directly as return and bind. get5 is translated as a get in the target, 
followed by a coercion by the mobility proof, put e extends the substitution with the value of e, applying 
the mobility proof to the value so it can be used at any other world. 

Agda verifies that the interpretation is type correct and total, establishing that the interpretation is 
total and type-preserving. 

6 Revised ML5 

In this section, we simplify and generalize the ML5 source language based on the above semantics. First, 
our analysis has shown that Mobile5 A really means that A [ w ] and A [ w' ] are equal types for 
any w and w'. We can internalize this principle as a value coercion vshift in Figure [3] This makes 
it possible to implement some additional programs without communication. For example, consider a 
function 

move : V {A w w'} -» Mobile5 A -> (value (A [ w ] ) :: [] ) h exp (A [ w' ]) 
move m = (get5 (val (> iO)) m) 

Operationally, this is quite inefficient: it sends the value of the variable from w' to w, as the environment 
of the val (> iO) closure, and w then returns this value back to w'. This whole process is unnecessary, 
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eval : V -{X L} -> T h L -» Everywhere interp-hyp T -> interp-conc L 

-- usual connectives 

eval (> x) (7 = (ListM.EW. there (7 x) 

eval (lam e) (7 = A x -> eval e (x E: : (7) 

eval (app el e2) <7 = (eval el (7) >= 1 f -» (eval e2 (7) >= A a -* f a 
eval (inl v) (7 = Inl (eval v <j) 
eval (inr v) <J = Inr (eval v (7) 

eval (case e el e2) (7 = eval e (7 >= docase where 
docase : Either -> 
docase (Inl x) = eval el (x E:: (7) 
docase (Inr y) = eval e2 (y E: : (7) 

-- E3 

eval (>v{w> x Refl) (7 = (ListM.EW. there (7 x) w 

eval (sham v) (7 = A w' -* (eval (v w') cO 

eval (lets e e') (7 = eval e (7 >= A x -> eval e' (x E: : (7) 

-- at 

eval (hold v) C7 = eval v (7 

eval (leta e e') (7 = eval e (7 >= A x -> eval e' (x E: : (7) 
-- V and 3 

eval (wlam v) C7 = A w -> eval (v w) (7 

eval (wapp e w) (7 = eval e (7 >= A f -> return (f w) 

eval (wpair w v) (7 = w , eval v (7 

eval (wunpack e e') (7 = eval e (7 »= A p -> eval (e' (fst p)) (snd p E: : (7) 
-- monad operations and world movement 
eval (val v) (7 = return (eval v (7) 

eval (lete el e2) C7 = eval el (7 »= A x -> eval e2 (x E: : (7) 

eval (get5{A} e mob) (7 = get (eval e (7) >= A v -> return (coerce (eff -mobile mob) v) 
eval (put e mob e ' ) (7 = eval e (7 »= A v -> 

eval e' ((A w' -> coerce (eff-mobile mob) v) E: : a) 

Figure 2: Interpretation of the syntax 



as the value was available at w' to begin with! However, it does not seem possible to implement this 
function without communication in ML5. In our revised ML5, as in HL5, it can be implemented as a 
simple type coercion: 

move : V {A w w'} -> Mobile5 A -> (value (A [ w ] ) :: □ ) h exp (A [ w' ]) 
move m = val (vshift (> iO) m) 

Second, in HL5, the worlding of values always "gets out of the way" because it commutes with type 
constructors down to ref and O- m Figure we add these non-local elimination rules for values of 
each connective to the source. For example, we add the untethered case rule for values of sum type and 
a projective elimination rule for at and V5 values. 

We could additionally add elimination rules like case, split, etc. to the syntactic class of "values" — 
i.e. we could admit that we are really dealing with a syntactic class of pure terms: 

casev/val : V {A B C w' w} -> T h value (A V B [ w ]) 

-> (r ,, value (A [ w ]) h val (C [ w' ])) -> (r ,, value (B [ w ]) h val (C [ w' ])) 
-> T h val (C [ w' ]) 

However, in an operational semantics where worlds and types are erased at run-time, wappv and unatv 
will not create any real redexes at run-time, whereas casev/val will. Thus a reasonable design choice 



D. Licata & R. Harper 



81 



New value rules: 

vshift : V {A w w'} -> T h value (A [ w ]) -> Mobile5 A^Th value (A [ w> ]) 

wappv : V {A w} -> T h value (V 5 A [ w ] ) -> (w' : World) -> T h value ((A w') [ w ]) 

unatv : V {A w w'} -> T h value ((A at w') [ w ]) -> T h value (A [ w' ]) 

New expression rules: 

casev : V {i B L »} -> T h value (A V B [ w ] ) 

-> (r ,, value (A [ w ]) h exp L) -> (T ,, value (B [ w ] ) h exp L) 
-> T h exp L 

wunpackv : V {A w L} -> T h value ((3s A) [ w ]) 

-> ((w' : _) -> r ,, value ((Aw') [w]) h exp L) -> T h exp L 

Remove rules put, >v, lets, sham, wapp, leta, case, wunpack. 

Figure 3: Revised ML5 



for ML5 would be to allow wappv and unatv but not the corresponding case rule. 

It is simple to extend the semantics to these new constructs, as they were derived from it: 

eval (vshift e m) (7 = coerce (eff-mobile m) (eval e <7) 
eval (wappv e w') (7 = eval e (7 w' 
eval (unatv e ) (7 = eval e (7 

eval (casev v el e2) (7 = docase (eval v c) where 

docase : Either -> 

docase (Inl x) = eval el (x E: : c) 

docase (Inr y) = eval e2 (y E: : c) 
eval (wunpackv v e') (7 = let p = eval v (7 in eval (e' (fst p)) (snd p E: : (7) 

Derived Forms Once we have added the aforementioned rules, we can remove rules put, t>v, lets, 
sham, wapp, leta, case, wunpack, which become derivable. Shamrock is defined using V5 and at in 
the straightforward way: B A = V5 (A w -> A w at w). Validity is defined as a value assumption of 
shamrock type: valid A = value ( (E3 A) [ dummy ]), where dummy is any arbitrary world — £3 A is 
mobile, and therefore constant, but because all value assumptions are worlded, we must pick one. 

The term t>v, which represents a use of a valid hypothesis, is derived by eliminating a shamrock. The 
term put is derived by introducing a shamrock, using vshift to retype the assumption in the body — we 
use letv to refer to the substitution principle plugging a value in for a variable, and we use weaken for 
weakening in the de Bruijn syntax. 

I>v : V {T A C w} -> valid A 6 T -> Id C (Aw) -> T h value (C [ w ]) 
>v i Refl = unatv (wappv (t> i) _) 

put : V {T A C w} -> T h exp (A [ w ]) -> Mobile5 A 

-> (T valid (\ _ -> A)) h exp (C [ w ]) -*■ T h exp (C [ w ]) 
put e m e' = lete e (letv (wlam (\ w' -> hold (vshift (> iO) m) ) ) 

(weaken (extendC iS) e')) 

The remaining derivabilities show that the old rules for the connectives are derivable using the new ones. 

7 Related Work 



Murphy [23Q describes ML5 and related languages, such as work by Jia and Walker fll9ll . 
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Altenkirch and McBride J^, Benke et al. 0], Chlipala 1 12], Crary [14] describe other uses of uni- 
verses and semantic embeddings in type theory, though they do not consider embedding a modal type 
system. We have used the same technique for embedding a hybrid type system in Agda in previous 
work Il20ll . Our technique is quite similar to that of Allen |2[], who defines modal types as display forms 
for NuPRL types. The technical difference is that Allen considers the modal types simply as notation, 
whereas in our approach the modal types are data, equipped with a translation to meta-language types. 
This shows how to achieve similar convenience of notation, without requiring separate display-form 
facilities. Avron et al. |Q] consider representations of modal logics in LF 1 13], some of which use world- 
indexed judgements to track scoping. We also use a world-indexed type family A < w >, but this relation 
is denned semantically (by interpretation into Agda) rather than syntactically (by inference rules). 

At the core, our interpretation reduces ML5 to L5, a language with an indexed monad 10 w A of 
computations at a place. Indexed monads have been studied in a variety of previous work, including 
Abadi et al. [1], Atkey |0], Nanevski et al. |24], Russo et al. |27]. However, to interpret ML5, we require 
the programming language to provide quantification over the indices to the monad, which DCC |[l]], for 
example, does not provide. It would be interesting to adapt our work to these other settings, using a 
modal logic to manage the indices to the monad. 



8 Conclusion 

While we have used Agda for our development, we conjecture that the work described in this paper 
could be earned out with similar effort in Coq 11311 . as we have not used very complicated dependent 
pattern matching. However, in future work we would like to embed proof -based access control following 
PCML5 |Q], which will require a modal universe with dependent types. Dependently typed universes are 
easiest to represent using induction-recursion Jl7ll . which Agda supports but Coq does not. 

In future work, we also plan to complete a proof that the operational semantics of ML5 are sound for 
the denotational semantics. We have formalized the operational semantics of A5 and an operational se- 
mantics for computations. We have also proved soundness, assuming a standard compositionality lemma 
(substitution of interpretations is the interpretation of the substitution), which we are in the process of 
formalizing. /3 -reduction in Agda validates the /3 -steps for functions, sums, etc. in the source. Because 
compositionality is really a property only of the binding structure of the language and the semantics, not 
of the particular language constructs, it should be possible to implement compositionality in a datatype- 
generic manner, as in Chlipala [12]. We also leave the question of full abstraction to future work. 
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